After nearly six months of warnings that Microsoft Windows users must patch the critical Remote Desktop Protocol vulnerability known as BlueKeep, researchers have finally detected the first known attempt at a large-scale attack aimed at exploiting this remote code execution flaw.
Since last May, security experts have expressed concern that a BlueKeep exploit attack could lead to a major worm attack like the 2017 WannaCry and NotPetya incidents. Fortunately, this recently observed malicious activity has so far fallen short of their worst fears. In this case, the attackers are attempting to infect users with only a cryptominer, rather than a ransomware or destructive disk wiper program. And instead of attempting to spread the malware like a worm, the perpetrators have simply been scanning the internet for computers vulnerable to BlueKeep.
Researcher Kevin Beaumont, who is credited with naming BlueKeep, initially detected the activity via his honeypots that monitor TCP port 3389, which is used by the Windows Remote Desktop Protocol. As of Oct. 23, the honeypots began crashing with a Blue Screen of Death and would subsequently reboot. "Over the following weeks, all of the honeypots crashed and rebooted (except one in Australia) with increasing regularity," said Beaumont in a blog post.
From there, Kryptos Logic researcher Marcus Hutchins, the man who discovered how to stop the spread of WannaCry, examined one of Beaumont's crash dumps and determined that a mass exploitation attempt was the cause. "At this point we can assert valid BlueKeep exploit attempts in the wild, with shellcode that even matches that of the shellcode in the BlueKeep Metasploit module!" said Hutchins in a Kryptos company blog post.
The Metasploit module to which Hutchins referred was a working exploit posted on GitHub last September by the Metasploit Project, a pen-testing framework developed in a collaboration between security company Rapid7 and open-source researchers.
Beaumont and Hutchins also separately confirmed the exploit activity to Wired.
The malware the exploit delivered was revealed to be a cryptominer that was reportedly uploaded to VirusTotal on Oct. 21 from a Ukrainian address.
"So far the content being delivered with BlueKeep appears to be frankly a bit lame – coin miners aren’t exactly a big threat – however, it is clear people now understand how to execute attacks on random targets, and they are starting to do it," wrote Beaumont in his blog post. "This activity doesn't cause me to worry, but it does cause my spider sense to say ‘this will get worse, later’."
Beaumont said that more than 724,000 systems are still exposed and have not patched the BlueKeep vulnerability, despite myriad warnings from Microsoft and U.S. government agencies. "If somebody makes a reliable worm for this vulnerability – which to be clear has not happened here - expect global consequences as it will then spread inside internal networks."
"It is curious that this publicly known wormable vulnerability, known to everyone who would care to know for at least six months, took this long to get detectably weaponized," added Hutchins in his own blog post. "One might theorize that attackers know they have essentially one shot at using it at scale, and it becomes a game of chicken as to who will do it first. It is also worth noting that mass exploitation for gain can be difficult, owing to the risks involved."
"Although this alleged activity is concerning, the information security community (correctly) predicted much worse potential scenarios," Hutchins continued. "Based on our data we are not seeing a spike in indiscriminate scanning on the vulnerable port like we saw when EternalBlue was wormed across the Internet in what is now known as the WannaCry attack. It seems likely that a low-level actor scanned the Internet and opportunistically infected vulnerable hosts using out-of-the-box penetration testing utilities."